
RISK MANAGEMENT AND AUDIT PLAN 2008-09

Preface

This report summarises the significant risks identified by the Department for the
2008-09 financial year. The likelihood and consequence of the risks have been
based upon an assessment by Department personnel using the Department of
Education and Training (DET) Risk Management Framework and in accordance with
the current Australian New Zealand Standard on risk management (AS/NZS
4360:2004).

This risk assessment is not by nature a detailed control review or audit and as such,
cannot provide assurance that all risks have been identified. Continual monitoring of
the risks and their commensurate treatment and/or mitigation is both a management
responsibility and a requirement of any comprehensive risk management program as
prescribed by the Department’s risk management framework.

This report is made available for the internal use of the management of the ACT
Department of Education and Training only and should not be relied upon by any
external party without the written approval of the Department.

Contents

1 Introduction and overview
1.1 Why business risk?
1.2 What is a Risk Management and Audit Plan?
1.3 Identifying risks across the Department
1.4 Risk methodology
1.5 Measuring risks in terms of likelihood and consequence

2 Summary of key risks and impact
2.1 Summary of key business risks

3 Performance measures
3.1 Performance indicators

4 Strategic Risk Management and Audit program

Appendix A – Summary of key business risks
A-1 Strategic management risks
A-2 Core business risks
A-3 Resource management risks
A-4 Integrity risks

Appendix B – 2008-09 Review schedule for the Audit Committee

Appendix C – Risk Assessment Matrix

1 Introduction and overview
1.1 Why business risk?
A high level business risk assessment of the Department’s operations provides both
the Executive and Audit Committee with an overview of the key and significant risks
facing the Department.

This assessment also assists the Executive in ensuring the appropriate elements of a
corporate governance framework are maintained. Business risk assessment is
viewed as an important tool during the strategic and business planning cycles to
assist in prioritising resource allocation and/or strategic focus.

In setting up a business risk assessment exercise, it is important to:

• adopt a consistent framework for data gathering
• engage with a wide range of management and staff through interview and consultation
• review departmental business plans to distil key risks.

This document is the overarching Risk Management and Audit Plan (RMAP) for the
Department and consolidates and distils key risks from all directorates and units of
the Department.

1.2 What is a Risk Management and Audit Plan?


This Risk Management and Audit Plan contains two key elements. The first is the
risk management plan that outlines an action plan for implementing risk treatments
for those risks identified by the business risk assessment as being at a level of risk
that is unacceptably high and may impede the Department from achieving its
objectives. The second element is the internal audit plan that outlines the annual
audit program for the Department focusing on high risk activities to ensure that the
identified controls are working effectively and in the most efficient manner. The plan
focuses on the key or critical risks only.

1.3 Identifying risks across the Department


The business risk assessment was developed from Directorate and unit business
plans, through a series of interviews with senior executive staff in the two-month
period March to April 2008, and from discussion within the Department’s Board of
Management and Audit Committee.

The audit program was developed primarily from the results of the business risk
assessment process. However, the program also incorporates exposures identified
through, or informed by:
• outcomes from the 2007/08 School Audit program
• the Department’s rolling audit program of the Chief Executive’s Finance
Instructions (CEFI’s)
• a review of previous audits undertaken by the ACT Auditor General.

1.4 Risk methodology
One of the issues in the conduct of a business risk assessment is how to conduct the
assessment process in a consistent and structured fashion. It is important that a
consistent approach to classification and analysis is taken so that all relevant risks
are considered and risks can be given the appropriate level of attention.

In compiling this business risk assessment a corporate model was used that enables
the Department to relate to its environment by means of the following three types of
processes:

1. Strategic management processes - focussed on the overall direction and management of the Department and includes planning, decision making and reporting.

2. Core business processes - focussed on the core functions / activities undertaken by the Department in order to attain its strategic objectives.

3. Resource management processes - focussed on the management of the Department’s key resources (ie. people, assets, information and finance).

In addition to this, and in accordance with the ACT Integrity Policy, the risk
assessment also reviewed the Department’s exposure to integrity risks in each of
these three processes. These risks have been compiled and reported under the
heading of Integrity risks.

1.5 Measuring risks in terms of likelihood and consequence


Whilst risks have been identified using the key areas from the corporate model, the
analysis of the risks has been based on the Department’s risk management
framework. Consistent with AS/NZS 4360:2004, this framework defines risk as the
chance of something happening that will have an impact upon the objectives of an
organisation, with risk being measured in terms of likelihood and consequence.

It is important to note that the likelihood and consequence scores are directly
impacted by the assessment of the effectiveness of existing controls. Only those
risks that are not adequately controlled and/or have a significant consequence rating
are captured and reported in this RMAP.

Through the internal audit program, the Audit Committee and management’s own
actions, the Department is ensuring that effective internal controls are operating to
minimise the likelihood or consequence of risk events. The latter describes one of the
functions of the corporate governance model – a monitoring role.

Included at Appendix C is the risk assessment matrix and the descriptors for the
likelihood and consequence ratings used in the business risk assessment process.

It should be stressed that the risks outlined in this document and the Risk
Management Plans are possible risk events, not risks that have actually occurred.
They are risk events, which could occur and if so, would have a substantial impact on
the Department’s corporate objectives.

2 Summary of key risks and impact

2.1 Summary of key business risks


Set out at Appendix A is a summary of the Department’s key business risks using the
three areas from the corporate model and a fourth area of integrity to categorise
these risks. These summary tables identify the current risk rating, strategies to
mitigate the risk, the area responsible for implementing the strategies, the target risk
rating, and the timeframe in which the action is to be taken.

3 Performance measures

3.1 Performance indicators


The following performance indicators have been incorporated to provide a measure
of the performance of the RMAP and of the effectiveness of the Department’s
implementation and utilisation of risk management as a key management tool that
is fundamental to its corporate governance arrangements.

• No severe insurable loss to disrupt the Department’s financial position.

• All new projects (in excess of $100,000 or where a significant risk to the Department exists) to be assessed for risk in accordance with the Department’s risk management framework prior to initiation.

• All matters identified in the Risk Management and Audit Plan to be addressed in a timely manner and reported to the Audit Committee in accordance with the schedule at Appendix B of the RMAP.

• No revenue loss or significant event to disrupt the Department through improper conduct by staff.

4 Risk Management and Audit Program 2008-09


The following table sets out the risk management and audit program for 2008-09.
Appendix B contains a schedule of the reviews/tasks identified in the program that
are to be reported on to the Audit Committee throughout 2008-09.

Risk Management and Audit Program 2008-09

Risk Assessments Audit

Organisation Resource Education Project Organisation Resource Education


Wide Management Wide Management

Business Attraction and 2008-09 Budget School Capital BCP Testing Capital Works • Follow-up audit of
Continuity Plan Retention Initiatives Works (IT & Schools) Project Management BSSS. Theme – IT &
of staff methodology BCP IT

COAG agenda Market Share Pacific School Compliance with


Games Records Schools Audit
Statutory Management • Principal self audit
Obligations
• Review of SSAP
• Ongoing school
Safe Schools CEFI’s audits

School Safety Audits


P-2 (Early
Learning)
Strategy
School Census 2009

Other Compliance Requests RM&A Activities

External ACT Audit Office Audit Organisational Insurance Governance


Compliance Committee risk profile update

Fraud Audit Report Risk Training


Follow-up Methodology

Appendix A-1 – Strategic management risks

Issue/Activity: Capital Works Program
Initial Risk Rating: 8
Target Risk Rating: 5
Responsible area / officer: Director School Capital Works
Time Frame: Feb 2011
Key Risks:
• School designs do not meet educational and community needs
• Construction of new schools not completed on time
• Construction of new schools exceeds budget
• School refurbishment and the Repairs and Maintenance programs are not on time
• School refurbishment and the Repairs and Maintenance programs exceed budget
Risk Mitigation Strategies:
• Project management done by Project Control Board. Procurement processes ensure rigorous evaluation of Project Managers’ capacity to deliver projects.
• DET has regular meetings with ACT Procurement Solutions and Projects Managers to monitor progress and funding.

Issue/Activity: Attraction and Retention of Staff
Initial Risk Rating: 8
Target Risk Rating: 4
Responsible area / officer: Director Human Resources
Time Frame: ongoing
Key Risks:
• Positions vacant for an extended period
• Lack of good workforce data
• Loss of key personnel
• Internal staff not being trained for future vacancies
• Low staff satisfaction
• Department not regarded as an employer of choice
• Insufficient casual staff to meet needs of schools and line areas
Risk Mitigation Strategies:
• Review current succession planning arrangements across the Department
• Work with the whole of government Attraction and Retention strategy
• Workforce data is collected, analysed and used for planning
• Organisation climate is measured and reported
• Performance Management in place for all staff
• Rewards and Recognition programs
• Staff Equity and Diversity statement encourages staff retention
• Flexible employment arrangements through Special Employment Agreements attract new staff
• Flexible leave arrangements (leave without pay after three years)
• Effective injury management
• Safe workplace strategies are implemented

Issue/Activity: Safe Schools
Initial Risk Rating: 7
Target Risk Rating: 5
Responsible area / officer: Executive Director (Schools); Directors Schools; Principals
Time Frame: ongoing
Key Risks:
• Extreme student behaviour
• High level of critical incidents in schools
• School environments are not safe
• Student behaviour reported in media
Risk Mitigation Strategies:
• Dedicated pastoral care coordinators in every high school
• Revise a range of policies that provide guidance and direction of schools in promoting safe school environments
• Policies updated and in place
• Incidents managed according to policy
• Ongoing program of school safety audit
• Appropriate training provided
• Injury prevention strategies developed and implemented with Shared Services

Issue/Activity: P-2 (Early Learning) strategy
Initial Risk Rating: 7
Target Risk Rating: 5
Responsible area / officer: Director Indigenous Education and Early Learning; Director School Capital Works
Time Frame: End of 2009
Key Risks:
• New P-2 school model will not be viable
• Interagency arrangements ineffective
• Construction not completed on time
• Preschool / primary school amalgamation unpopular
Risk Mitigation Strategies:
• Communication / marketing strategies developed and implemented
• Governance arrangements agreed and in place
• Effective project management in place
• Regular communication and consultation with principals and school committees

Issue/Activity: 2008-09 Budget initiatives (Quality Teaching; Literacy and numeracy; Leading for Leadership; Spice Program; Transitions and Careers; Students with a disability; Indigenous programs)
Initial Risk Rating: 7
Target Risk Rating: 4
Responsible area / officer: Directors
Time Frame: 2011
Key Risks:
• Initiatives not implemented on schedule
• Inability to attract new project staff
• Implementation not within budget
• Desired outcomes not delivered
• Professional Learning need not met
• Student needs not met
• Inadequate reporting
Risk Mitigation Strategies:
• Professional support from critical friends and key academics
• Coordinated PL and resources – target areas of need
• Effective project management in place
• Governance arrangements agreed and in place
• Consultation mechanisms in place with key stakeholders, including principals
• Regular monitoring of project management through standing committees and routines with DCE and ED

Issue/Activity: Market Share
Initial Risk Rating: 7
Target Risk Rating: 4
Responsible area / officer: Executive Director (Schools); Directors Schools; Principals; Director Measurement, Monitoring and Reporting
Time Frame: ongoing
Key Risks:
• Parents and students do not choose ACT public schools
• Ineffective marketing of ACT public schools
• Further decline in student enrolments
Risk Mitigation Strategies:
• Dedicated pastoral care coordinators in every high school and careers support in colleges
• Revise a range of policies that provide guidance and direction of schools in promoting safe school environments
• $90 million over four years to significantly improve overall quality of public school infrastructure
• Improved marketing of government schools
• Collect data on reasons why students move and choose to come to public schools

Issue/Activity: COAG Agenda
Initial Risk Rating: 7
Target Risk Rating: 3
Responsible area / officer: Chief Executive; Deputy Chief Executive; Executive Directors
Time Frame: Dec 2008
Key Risks:
• Failure to meet COAG timelines
• Inability to deliver on COAG initiatives
• Failure to ensure ACT position is reflected in COAG decisions
• ACT Budget does not align with COAG requirements
• Reporting regime not met
• Loss of/reduction in funding levels
Risk Mitigation Strategies:
• Timely delivery of briefs and reports
• Effective project management
• Identify and establish pool of ‘COAG Specialist’ staff with enough flexibility to work with tight deadlines
• Establish new position in MSR to coordinate COAG papers and policy advice
• Ensure close liaison with CMD, Treasury and other government agencies to align whole-of-Government response

Appendix A-2 – Core business risks

Issue/Activity: Business Continuity Planning
Initial Risk Rating: 7
Target Risk Rating: 4
Responsible area / officer: Executive Director Business Improvement; Director Governance Regulation and Risk; Director Schools; Director Training and Tertiary Education; Executive Officer BSSS
Time Frame: 2009
Key Risks:
• Business Continuity Plan does not meet needs of Department
• Disaster occurs and DET unable to recover
• Staff not adequately trained or aware of correct procedures
• Line areas not fully prepared
• Capacity of internal IT systems (BSSS, TaTE and HR) to adapt to changing environment and demands
Risk Mitigation Strategies:
• Consultant engaged to develop Business Continuity Plan
• BCP distributed to all work sites
• Training plan to be developed and implemented
• BCP tested
• Schools advised of the requirement to have emergency management plans in place in accordance with the Department’s Emergency Management Framework
• Assistance provided to schools in developing plans
• IT systems BCP plans developed

Issue/Activity: Shared Services (Financial Services; Human Resources; Procurement; Information Technology)
Initial Risk Rating: 7
Target Risk Rating: 3
Responsible area / officer: Director Finance & Facilities; Director Human Resources; Director Education IT
Time Frame: Ongoing
Key Risks:
• Department’s service requirements not met
• Capacity of Shared Services to deliver a quality of service
• Reduced scope of services
• Transfer of information and poor communication between Department and Shared Services
Risk Mitigation Strategies:
• Monitor service delivery
• Regular meetings with Shared Service staff
• Feedback provided to Shared Services Centre
• Action plans developed with Shared Services to overcome problem areas.
• CEFI’s are being reviewed
• Finance and IT Services Level Agreements (SLA’s) are in place
• Audit of financial SLA’s first followed by audit of HR aspects

Issue/Activity: Pacific School Games
Initial Risk Rating: 6
Target Risk Rating: 3
Responsible area / officer: Executive Director
Time Frame: Dec 2008
Key Risks:
• Games postponed or cancelled
• Major disruption to Games program
• Insufficient officials to run events
• Venues unavailable for events
• Defection of overseas competitors and officials
Risk Mitigation Strategies:
• Four layers of Governance/committees in place and functioning effectively
• Comprehensive risk assessment completed and regularly updated
• Security exercise undertaken
• Regular briefings provided to Management Council and Cabinet

Issue/Activity: Records Management
Initial Risk Rating: 6
Target Risk Rating: 3
Responsible area / officer: Director Governance, Regulation and Risk
Time Frame: Ongoing
Key Risks:
• Adequate guidelines not available
• Lack of staff training
• Poor records management culture
• Non-compliance with legal and statutory obligations
• Lack of capacity to respond to changes in the Territory Records Management Act
Risk Mitigation Strategies:
• Training in records management processes and procedures.
• Obligations under Territory Records Act reviewed
• Implement recommendations per Auditor General’s audit
• Assess capacity in unit and allocate additional resources if required

Appendix A-3 – Resource management risks

Issue/Activity: HR Data
Initial Risk Rating: 7
Target Risk Rating: 4
Responsible area/officer: Director Human Resources
Timeframe: Ongoing
Key Risks:
• Inadequate internal systems for collecting data
• Data not regularly maintained
• Shared Services not collecting required data
• Chris21 data not reliable
Risk Mitigation Strategies:
• Chris21 management group has DET representation.
• HR Program Review and implementation of recommendations
• Chris21 data protocols developed and used

Issue/Activity: Financial management in schools
Initial Risk Rating: 7
Target Risk Rating: 3
Responsible area/officer: Director Finance & Facilities
Timeframe: Ongoing
Key Risks:
• Lack of staff knowledge
• Non-compliance with department requirements
• Fraud and misappropriation
• Obsolete procedures or documentation
Risk Mitigation Strategies:
• Conduct school and financial audits
• Review procurement guidelines
• Provide finance training
• Access to list of Delegations through Index
• Monitor through SSA with SSC Finance
• Inform School Boards of their obligations

Issue/Activity: Central Office Accommodation Strategy
Initial Risk Rating: 6
Target Risk Rating: 4
Responsible area/officer: Director Finance & Facilities
Timeframe: Dec 2008
Key Risks:
• Accommodation does not meet future needs of the Department
• Insufficient space available to meet business needs of line areas
• Budget allocation exceeded
Risk Mitigation Strategies:
• Regular reporting and briefing to SET
• Monitor budget closely
• Close liaison and consultation with affected staff

Issue/Activity: User Choice
Initial Risk Rating: 6
Target Risk Rating: 4
Responsible area/officer: Director Training and Tertiary Education
Timeframe: July 2009
Key Risks:
• Demand for User Choice/traineeships and apprenticeships outstrips budget allocation
Risk Mitigation Strategies:
• Monitor demand and supply on a monthly basis
• Consult regularly with industry and business employers
• Work with Australian Government to reduce pressures through skills SPP

Appendix A-4 – Integrity risks

(Fraud and Corruption Prevention Plan – F&CPP and Chief Executive Financial Instructions – CEFI)

Issue/Activity: Corporate Credit Cards
Initial Risk Rating: 6
Target Risk Rating: 4
Responsible area/officer: Director Finance & Facilities
Timeframe: Jan 2009
Risk:
• Inappropriate use of Credit Cards
• Guidelines not readily available
• Inadequate checking procedures
• Staff not trained
Risk Mitigation Strategies:
• ACT Government Credit Card policy was reviewed by the Department of Treasury in February 2007. This resulted in Treasury updating the Model CEFI’s. As a result the Department’s CEFI’s are in the process of being updated. CEFI’s were adopted from the time they were issued by Treasury.
• Similarly these changes will be incorporated into the School Management Manual.

Issue/Activity: Mobile phones
Initial Risk Rating: 6
Target Risk Rating: 4
Responsible area/officer: Directors
Timeframe: Ongoing
Risk:
• Excessive use for non-work related purposes and/or redirection of work phones to mobile phones for personal gain.
Risk Mitigation Strategies:
• Invoices checked by directors / managers
• Staff pay for personal calls

Issue/Activity: Assets, Information and Services
Initial Risk Rating: 6
Target Risk Rating: 3
Responsible area/officer: Director Finance and Facilities; Directors; Director Education ICT
Timeframe: Ongoing
Risk:
• Improper use of Government vehicles and other equipment
• Computer roll out creates opportunity for computer theft of existing or new equipment
• Improper use of the internet
• Electronic data not secure and protected
• Out-sourced training does not meet specifications
Risk Mitigation Strategies:
• Regular updates of asset register
• Spot audits of asset register
• Effective project management in place for any new IT rollout
• Guidelines and policies in place and updated regularly

Issue/Activity: Personnel Management (Pre-employment checks; Flex and Leave management; Salary and other payments)
Initial Risk Rating: 6
Target Risk Rating: 3
Responsible area/officer: Director Human Resources; Shared Services
Timeframe: July 2008; Ongoing
Risk:
• False representation by applicants regarding qualifications, skills, employment history, etc being made during recruitment process.
• Staff not completing leave applications
• Staff not completing sick leave notifications
• Staff not providing medical certificates when required
• School staffing officers failing to fully perform duties regarding leave
• Staff not maintaining accurate timesheets
• Staff not reporting overpayments
Risk Mitigation Strategies:
• Recruitment processes and procedures reviewed
• Flex and leave management procedures distributed to all Principals.
• Leave guidelines included in induction training for all new staff
• Monitoring of procedures recorded in the self audit package for Principals.
• Compliance audits and follow up implemented
• Staffing Officer network established
• Monitoring of payroll services under SSA with Shared Services
• Intranet site updated with new guidelines

Appendix B1

2008 - 09 Strategic Risk Assessments Review Schedule


Issue Area responsible Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun
08 08 08 08 08 08 09 09 09 09 09 09

Business Continuity Planning Director GR&R 3 3 3 3 3


COAG agenda Deputy Chief 3 3 3 3 3
Executive
Risk Management program

Records Management Director GR&R 3 3 3 3 3


Attraction and Retention Director, HR 3 3 3 3 3
2008-09 Budget Initiatives Executive Director 3 3 3 3 3
(Schools
Market Share Director, Schools 3 3 3 3 3
Safe Schools Director, Schools 3 3 3 3 3
P-2 (Early Learning) Strategy Director, Indigenous 3 3 3 3 3
Education and Early
Learning.
Capital Works Program Director, SCW 3 3 3 3 3
Pacific School Games Executive Director 3 3 3 3 3
(Schools)

Appendix B2

2008 - 09 Audit Program – Proposed Schedule


Issue Area responsible Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun
08 08 08 08 08 08 09 09 09 09 09 09

Compliance with Statutory Obligations Director GR&R

BCP Testing (schools) Director GR&R

Capital Works Project Management Director SCW

BSSS (BCP) Exec Officer BSSS


Audit program

Records Management Director GR&R

Schools Census 2009 Director MM&R

School Audit Director GR&R

• Principal self assessment

• Review of SSAP

• School safety

Fieldwork
Internal Audit Team
Drafting & Management Comment
External Auditors
Tabling

Appendix D

Risk Assessment Matrix – Level of Risk

Level of risk
• >7: Extreme risk – detailed action plan required
• 6,7: High risk – needs senior management attention
• 5: Medium risk – specify management responsibility
• <5: Low risk – manage by routine procedures

High or Extreme risks must be reported to Senior Management and require detailed treatment plans to reduce the risk to Low or Medium.

Consequence ratings: Insignificant (1), Minor (2), Moderate (3), Major (4), Catastrophic (5)

Consequence – People
• Insignificant: Injuries or ailments not requiring medical treatment.
• Minor: Minor injury or First Aid Treatment Case.
• Moderate: Serious injury causing hospitalisation or multiple medical treatment cases.
• Major: Life threatening injury or multiple serious injuries causing hospitalisation.
• Catastrophic: Death or multiple life threatening injuries.

Consequence – Reputation
• Insignificant: Internal Review
• Minor: Scrutiny required by internal committees or internal audit to prevent escalation.
• Moderate: Scrutiny required by external committees or ACT Auditor General’s Office, or inquest, etc.
• Major: Intense public, political and media scrutiny. Eg: front page headlines, TV, etc.
• Catastrophic: Assembly inquiry or Commission of inquiry or adverse national media.

Consequence – Business Process & Systems
• Insignificant: Minor errors in systems or processes requiring corrective action, or minor delay without impact on overall schedule.
• Minor: Policy procedural rule occasionally not met or services do not fully meet needs.
• Moderate: One or more key accountability requirements not met. Inconvenient but not client welfare threatening.
• Major: Strategies not consistent with Government’s agenda. Trends show service is degraded.
• Catastrophic: Critical system failure, bad policy advice or ongoing non-compliance. Business severely affected.

Consequence – Financial
• Insignificant: 1% of Budget or <$5K
• Minor: 2.5% of Budget or <$50K
• Moderate: > 5% of Budget or <$500K
• Major: > 10% of Budget or <$5M
• Catastrophic: >25% of Budget or >$5M

Likelihood ratings and level of risk
• Almost Certain (5) – Numerical: >1 in 10. Historical: Is expected to occur in most circumstances. Level of risk by consequence: Insignificant 6, Minor 7, Moderate 8, Major 9, Catastrophic 10.
• Likely (4) – Numerical: 1 in 10 - 100. Historical: Will probably occur. Level of risk by consequence: Insignificant 5, Minor 6, Moderate 7, Major 8, Catastrophic 9.
• Possible (3) – Numerical: 1 in 100 – 1,000. Historical: Might occur at some time in the future. Level of risk by consequence: Insignificant 4, Minor 5, Moderate 6, Major 7, Catastrophic 8.
• Unlikely (2) – Numerical: 1 in 1,000 – 10,000. Historical: Could occur but doubtful. Level of risk by consequence: Insignificant 3, Minor 4, Moderate 5, Major 6, Catastrophic 7.
• Rare (1) – Numerical: 1 in 10,000 – 100,000. Historical: May occur but only in exceptional circumstances. Level of risk by consequence: Insignificant 2, Minor 3, Moderate 4, Major 5, Catastrophic 6.
